You can view system and user-defined alerts and check whether their notifications are activated.

Prerequisites

  • Verify that you are logged in to the vRealize Log Insight web user interface, for which the URL format is https://log_insight-host. Here, log_insight-host is the IP address or host name of the vRealize Log Insight virtual appliance.
  • Verify that your user account is associated with a role that has the relevant permissions for alerts.

    If your user account is assigned a role with view access to alerts (for example, the User role), you can view all the alerts in your organization. However, you can manage only your own alerts.

    If your user account is assigned a role with edit or full access to alerts (for example, the Super Admin role):
    • You can activate or deactivate all the system alerts in your organization.
    • You can create, modify, and remove all the user-defined alerts in your organization.
    For information about roles, see Create and Modify Roles in Administering vRealize Log Insight.

Procedure

  • To view system alerts, navigate to the Alerts tab. On the left pane, click System Alerts.
    You see a list of system alerts with information about their status and frequency. You can activate or deactivate individual alerts by using the toggle button. To activate or deactivate multiple alerts, select the alerts and then select Actions > Enable or Actions > Disable.
  • To view user-defined alerts, navigate to the Alerts tab. On the left pane, click Alerts.
    You see a list of user-defined alerts with information about their status, owner, origin, and target. For content pack alerts, the content pack name is listed in the Origin column. You can perform the following tasks:
    • Search for alerts by using the text search.
    • Filter alerts by origin or alert type and click Apply.

      When you filter alerts by origin, you can select user-defined, general alerts, or alerts for specific content packs.

      When you filter alerts by alert type, you can select real-time alerts, which are alerts based on every match. You can also select count-based alerts, which are alerts based on the total count of events, unique count of a field, or aggregation operation on a field.

    • Sort alerts by alert details, status, owner, and so on.
    • Add or remove columns to control the alert information displayed. Click the Show or hide columns icon in the lower left corner and select or clear columns according to your requirement.
      Tip:
      • The value in the Owner column is the name of the user who defines the alert. For content pack alerts, this value is blank or System.

        For alerts created in vRealize Log Insight 8.4 or earlier, the value in the Owner column is a user assigned to the Super Admin role.

      • The value in the Last Hit column remains never until the first hit occurs.
    • Activate or deactivate individual alerts by using the toggle button. To activate or deactivate multiple alerts, select the alerts and then select Actions > Enable or Actions > Disable.
    • View the log results for the query associated with an alert. Click the alert and then click Run Query to open the query in Interactive Analytics.
    • Modify an alert.
    • Remove one or more alerts. To remove an alert, click the three dots icon against the alert and click Delete. To remove multiple alerts, select the alerts and then select Actions > Delete.
  • To view content pack alerts, navigate to the Content Packs tab. On the left pane, click a content pack and then click the Alerts tab.
    If your user account is assigned a role with full access for content packs and alerts, you can activate a content pack alert and modify its notifications in the Alerts page. However, you cannot update or remove the content pack alert.

Example: Activate an Alert from the VMware - vSphere Content Pack

The VMware - vSphere content pack contains several predefined alert queries, including the ESXi: Stopped logging alert.

Enabling the ESXi: Stopped logging alert is a good practice, because certain versions of ESXi hosts might stop sending syslog data when you restart vRealize Log Insight. This alert monitors for the vCenter Server event esx.problem.vmsyslogd.remote.failure to detect if there is an ESXi host that has stopped sending syslog feeds.

  1. On the Alerts tab, click Alerts on the left pane.
  2. For the VMware - vSphere content pack, click *** CRITICAL *** ESXi: Stopped logging.
  3. Activate email notifications, webhook notifications, or vRealize Operations notification events.
  4. Click Enable.

To detect only ESXi hosts that stop sending feeds to your instance of vRealize Log Insight, you can add the following filter to the alert query: vc_remote_host (VMware - vSphere) contains <log-insight-hostname>, and save the new query to your alerts.
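As an added example that is not part of the vRealize Log Insight documentation or product, the following Python re-creates the alert's matching logic offline: the esx.problem.vmsyslogd.remote.failure event match, the optional vc_remote_host "contains" filter from the step above, and the real-time versus count-based evaluation described earlier in this topic. The field names hostname and text, the sample host names, and the event records are constructed assumptions for this example.

```python
from typing import Dict, List, Optional

# Event ID monitored by the content pack alert (named on the page).
STOPPED_LOGGING_EVENT = "esx.problem.vmsyslogd.remote.failure"

# Constructed sample events. "vc_remote_host" is the field the page names;
# "hostname" and "text" are assumed field names for this example only.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"hostname": "esxi-01.lab.example", "vc_remote_host": "loginsight.lab.example",
     "text": "esx.problem.vmsyslogd.remote.failure: remote logging host unreachable"},
    {"hostname": "esxi-02.lab.example", "vc_remote_host": "other-collector.lab.example",
     "text": "esx.problem.vmsyslogd.remote.failure: remote logging host unreachable"},
    {"hostname": "esxi-03.lab.example", "vc_remote_host": "loginsight.lab.example",
     "text": "constructed unrelated event"},
    {"hostname": "esxi-01.lab.example", "vc_remote_host": "loginsight.lab.example",
     "text": "esx.problem.vmsyslogd.remote.failure: remote logging host unreachable"},
]


def matches_alert(event: Dict[str, str], log_insight_host: Optional[str] = None) -> bool:
    """True if the event is the stopped-logging event and, when a Log Insight
    hostname is given, the vc_remote_host 'contains' filter also holds
    (substring match, mirroring the filter added in the procedure)."""
    if STOPPED_LOGGING_EVENT not in event.get("text", ""):
        return False
    if log_insight_host is None:
        return True  # unfiltered content pack alert: any remote syslog target counts
    return log_insight_host in event.get("vc_remote_host", "")


def stopped_logging_hosts(events, log_insight_host=None) -> List[str]:
    """Real-time alert semantics: every match fires. Returns the affected ESXi
    hosts in first-seen order, without duplicates."""
    hosts: List[str] = []
    for ev in events:
        if matches_alert(ev, log_insight_host) and ev["hostname"] not in hosts:
            hosts.append(ev["hostname"])
    return hosts


def count_alert_fires(events, threshold: int, log_insight_host=None) -> bool:
    """Count-based alert semantics: fire only when the total number of matching
    events in the evaluated window reaches the threshold."""
    return sum(matches_alert(ev, log_insight_host) for ev in events) >= threshold


if __name__ == "__main__":
    print("unfiltered:", stopped_logging_hosts(SAMPLE_EVENTS))
    print("filtered:  ", stopped_logging_hosts(SAMPLE_EVENTS, "loginsight.lab.example"))
```

With the filter applied, the host whose syslog target is a different collector no longer raises the alert, which is the effect the procedure describes.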

For details about syslog problems and solutions, see the Knowledge Base article VMware ESXi 5.x host stops sending syslogs to the remote server (2003127) at https://kb.vmware.com/kb/2003127.